Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

Refine your search:

Correlation Search - results not displaying correctly

0

Ive been spending a long time trying to get 1 correlation search working. The search is to find non standard hostnames that have been assigned a dhcp address, this would cover a scenario where a rogue laptop is plugged into the network.

description=assign dest_ip!="10.50.x.1/20 dest_ip!=10.51.x.1/21" dest_ip!="10.49.x.1/27" | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac

sourcetype=DhcpSrvLog description=assign | rex mode=sed field=dest "s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND NOT like(dest_ip, "10.50.96.1/20") AND NOT like(dest_ip, "10.51.80.1/21") AND NOT like(dest_ip, "10.49.16.1/27") AND dest!=dest_mac

Running this search now. The Prefix filtering is working, however the NOT like(dest_ip, "10.51.80.1./21) IP range filtering is not working. The results include those IP ranges

Have spent a lot of time on this today and still getting no where, frustrating!Using standard splunk search I can use:

description=assign | where NOT cidrmatch("10.50.96.1/20",dest_ip) | where NOT cidrmatch("10.50.80.1/21",dest_ip) | where NOT cidrmatch("10.49.16.1/27",dest_ip) | rex mode=sed field=dest
"s/.company.domain.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac

I get the desired results where I see hostnames with prefix's not specified in the search. Maybe 4 or 5 hostnames (dest field).

Ive turned the same syntax into a correlation search (check parsing using guided mode too - but leave the search as manual) and create a notable event, with the title"Suspicious Host Discovered - $dest$ at $time$ on $date$"I instead see:"Suspicious Host Discovered - unknown at unknown on unknown"

There are also multiple events created (10s or 100s). If a normal search has 4 results, why does the incident dashboard not show 4 notable events from the correlation search which uses the same syntax? Doesnt seem very intuitive. Tomorrows another day.